Cozzy Privacy Policy

Version 9 · Effective 7 April 2026

Last Updated: April 5, 2026

Cozzy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share your personal data when you use our mobile application Cozzy (the "App").

We operate in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the EU Artificial Intelligence Act, and Irish data protection laws as enforced by the Data Protection Commission (DPC).

---

1. Not Financial Advice

Cozzy is an educational and informational tool. We are not providing financial, investment, tax, legal, or other professional advice. Any insights, categorisations, projections, or content shown in the App are for general information only and should not be relied upon as a substitute for advice from a qualified professional.

---

2. Age Requirements

Cozzy is intended for users aged 16 and over.

If you are under 16 years of age, you are not permitted to use the App and must not create an account or provide any personal data to us.

By creating an account, you confirm that you are at least 16 years old. If we become aware that we have collected personal data from a user under 16 without appropriate legal basis, we will take steps to delete that information promptly.

If you are aged 16 or 17, we encourage you to review this Privacy Policy with a parent or guardian to ensure you understand how your data is used.

We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@cozzy.io so we can delete it.

The age of digital consent in Ireland is 16 (Data Protection Act 2018, Section 31). In the United Kingdom, it is 13 (UK GDPR, Article 8(1)). We apply the higher threshold of 16 across all jurisdictions.

---

3. Who We Are (Data Controller)

For the purpose of the GDPR, the Data Controller is:

Name: Cozzy Finance Limited
CRO Number: 812498
D-U-N-S: 984891033
Registered Address: Venture Hub, 136 Capel Street, Dublin 1, Dublin, D01 T2C9, Ireland
Email: support@cozzy.io

We have assessed our obligations under GDPR Article 37 and determined that a Data Protection Officer is not required at our current scale of operations. We keep this under review.

Data Protection Contact: privacy@cozzy.io — For all data protection queries, data subject access requests, or complaints. Requests sent to support@cozzy.io will be forwarded to the data protection contact without delay.

As Cozzy Finance Limited is established in Ireland (an EU Member State), no EU representative under GDPR Article 27 is required. For users in the United Kingdom, our UK contact point for data protection matters is privacy@cozzy.io.

---

4. Data We Collect

We collect the following types of information:

A. Information You Provide

Account Information: When you sign in via email, Google, or Apple, we collect your name and email address to create your account. If you sign in via Google or Apple, we may also collect your profile picture.
Customer Support: Any information you provide when you contact us for help.

B. Financial Data (via Open Banking)

To provide account aggregation and financial insights, we use Yapily Connect Limited ('Yapily'), an authorised Account Information Service Provider regulated by the UK Financial Conduct Authority (Firm Reference Number 827001). When you connect a bank account, you explicitly consent to Yapily accessing your data.

Data Processed: Account numbers, balances, transaction history, and account holder names.
Storage: We store this data securely on our backend (Supabase) to display it to you.
Note: We do not see or store your bank login credentials (PINs/passwords). These are handled directly by Yapily and your bank.

Your financial data originates from your bank and is transmitted to us via Yapily's regulated Open Banking API.

C. Device & Usage Data

Identifiers: Device ID and IP address.
Usage Data: How you use the app, crash logs, and performance data.

---

5. Legal Basis for Processing

We process your data under the following legal bases:

Consent: For connecting bank accounts (Open Banking), analytics cookies, and AI-powered features (see Section 10).
Contract: To provide the App's core features and manage your subscription.
Strictly Necessary Exemption (ePrivacy): Essential cookies that are strictly necessary for the App to function are exempt from consent requirements under Regulation 5(5) of S.I. No. 336/2011 (Ireland) and Regulation 6(4) of PECR (UK).
Legal Obligation: To comply with financial or tax regulations.
Legitimate Interest: To maintain security audit logs for fraud prevention and system integrity (GDPR Art. 6(1)(f)). We have conducted a balancing assessment and concluded that this processing does not override your rights because: (a) audit logs are anonymised on account deletion; (b) logs are automatically purged after defined retention periods; and (c) logs contain only technical metadata, not substantive financial data. You have the right to object to this processing under Article 21 — see Section 9.
Contract / Legitimate Interest (hosting and communications): Our hosting provider (Railway) processes API traffic as part of delivering the service (contract performance). Our email provider (Resend) sends transactional notifications under contract performance and legitimate interest in account security.

---

6. Third-Party Services (Data Processors)

We share data with trusted third-party providers to operate the App.

Service Provider	Purpose	Data Shared
Yapily Connect Limited	Open Banking Connectivity	Financial data, consent tokens. For the bank authorisation flow, Yapily acts as an independent data controller under its own privacy policy. For retrieving your account data on our behalf, Yapily acts as our data processor under a GDPR Article 28 agreement. We are not responsible for Yapily's processing as an independent controller — please review Yapily's Privacy Policy.
Supabase	Backend Database & Auth	User ID, email, authentication credentials (hashed), OAuth tokens, session data, encrypted app data.
Google Firebase	Analytics & Crashlytics	Device ID, crash logs, usage statistics. Analytics requires your consent; Crashlytics runs as an essential service for app reliability. Crash reporting is necessary to identify and resolve defects that would render the service unusable, and is justified under our legitimate interest in maintaining service security and reliability (GDPR Art. 6(1)(f)).
Google Cloud (Vertex AI)	AI-powered features (Olivia assistant, transaction categorisation)	Sanitised transaction descriptions, aggregated financial summaries. Sensitive data such as account numbers, IBANs, and personal identifiers are removed before processing (see Section 10). All AI processing occurs within the EU (europe-west4 region, Netherlands).
RevenueCat	Subscription Management	Purchase history, User ID (to sync subscriptions).
Sentry	Error Monitoring & Crash Analytics	Pseudonymised error logs, device info, app state. User IDs are hashed; emails, IP addresses, and personally identifiable data are stripped before transmission.
Railway	Application Hosting	All API request/response data in transit (encrypted via TLS). Server logs containing pseudonymised request identifiers.
Resend	Transactional Email Delivery	Email address, name, email content for account notifications.

---

7. International Data Transfers

Some of our partners (e.g., Supabase, RevenueCat) may process data in the United States. We ensure these transfers are protected using Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

AI processing data residency: All AI-powered features (Olivia and transaction categorisation) are processed exclusively within the European Union via Google Cloud's europe-west4 region (Netherlands). Your financial data sent to AI models does not leave the EU.

---

8. Data Retention & Deletion

We retain your personal data for defined periods based on the purpose of processing and our legal obligations:

Data Category	Retention Period	Justification
Account information	Duration of account + 30 days	Contract performance (GDPR Art. 6(1)(b))
Financial / transaction data	Duration of account + 6 years	Legitimate interest in defending potential legal claims: Statute of Limitations Act 1957 s.11 (Ireland); Limitation Act 1980 s.5 (UK)
AI insights (Olivia responses)	Duration of account or until AI consent withdrawn	Consent (GDPR Art. 6(1)(a)); deleted immediately upon consent withdrawal
AI categorisation audit logs	90 days	Legitimate interest in service quality and debugging (GDPR Art. 6(1)(f))
AI interaction audit logs	90 days	Legitimate interest in security auditing and abuse prevention (GDPR Art. 6(1)(f))
AI security event logs	365 days	Legitimate interest in fraud prevention and incident investigation (GDPR Art. 6(1)(f))
Vertex AI abuse monitoring data (Google)	Up to 55 days	Managed by Google per Cloud Data Processing Addendum; not under Cozzy's control. Data is PII-scrubbed before transmission.
Analytics data	14 months	Firebase Analytics default; data minimisation (GDPR Art. 5(1)(e))
Crash logs	90 days	Firebase Crashlytics default; data minimisation
Cookie consent records	6 months (then renewal)	DPC guidance on consent renewal cycles
Support correspondence	2 years from resolution	Customer service quality and dispute resolution

Retention periods are enforced automatically by scheduled data management processes. Data beyond its retention period is permanently deleted. You do not need to request deletion of expired data.

Deletion: You can delete your account and all associated data immediately by going to Settings > Delete Account in the App.
Effect of Deletion: Upon request, we delete your data from Supabase, revoke bank access tokens, anonymise audit logs, and delete all AI-generated insights and history.
AI Consent Withdrawal: When you disable AI features in Settings, we immediately delete your AI insight history and cached AI responses. Anonymised audit logs are retained for the periods stated above for security purposes.

Data Breach Notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.

---

9. Your Rights

Under the GDPR, you have the right to:

Access the personal data we hold about you (Article 15).
Correct inaccurate data (Article 16).
Request deletion of your data ("Right to be Forgotten") (Article 17).
Request restriction of processing (Article 18).
Request portability of your data (Article 20).
Object to processing based on legitimate interests (Article 21).
Withdraw consent at any time.
Lodge a complaint with a supervisory authority (Article 77) — see Section 14 for contact details.

To exercise these rights, please contact us at support@cozzy.io.

We will respond to your request without undue delay and within one month of receipt. If your request is complex or we receive a high volume of requests, we may extend the response period by a further two months, in which case we will inform you within the first month.

---

10. Automated Decision-Making, Profiling, and AI

10.1 Overview

Cozzy uses artificial intelligence to provide two optional features:

1. Transaction Categorisation — automatically assigns spending categories to your bank transactions.

2. Olivia AI Assistant — provides personalised financial insights, answers questions about your spending, and generates smart alerts.

Both features are powered by Google Gemini (a large language model) running on Google Cloud Vertex AI within the EU (europe-west4 region, Netherlands).

10.2 No Automated Decisions with Legal Effect

These AI features are advisory and informational only. No automated process within Cozzy:

Restricts your access to features or services.
Blocks actions or functionality.
Makes credit, eligibility, or financial decisions on your behalf.
Produces legal effects or similarly significant effects on you.

All feature access is determined solely by your subscription tier. You can override any AI-generated categorisation at any time by manually selecting a different category.

10.3 What Data Is Processed by AI

Before your data is sent to the AI model, we apply comprehensive sanitisation to protect your privacy:

Removed before AI processing: Account numbers, IBANs, sort codes, email addresses, phone numbers, personal names, card numbers, and transaction reference numbers.
Special-category data protection (GDPR Article 9): We detect and exclude transaction descriptions that may reveal health information (e.g. medical providers), religious affiliation, political opinions, or trade union membership. These transactions are never sent to AI.
What is sent: Sanitised merchant names, generalised transaction descriptions (capped at 80 characters), and aggregated financial summaries (e.g. total spending by category, income amounts). No raw bank data is sent.

10.4 Your Control Over AI Features

AI features in Cozzy require your explicit consent before activation. You are in full control:

AI Insights (Olivia): You are prompted to enable or disable AI insights when you first use the App. You can change this at any time in Settings > Preferences > AI Features > AI Insights.
AI Transaction Categorisation: You can enable or disable AI categorisation separately in Settings > Preferences > AI Features > AI Transaction Categorisation.
When AI is disabled: The App continues to work normally. Transactions remain uncategorised (you can categorise them manually), and Olivia's data-driven insights that do not use AI remain available.
Consent withdrawal effect: When you disable AI features, we immediately delete your stored AI insight history and cached responses. Anonymised audit logs are retained for the periods stated in Section 8.

10.5 EU AI Act Transparency (Article 50)

In compliance with the EU Artificial Intelligence Act, we disclose that:

Olivia is an AI system that generates natural-language financial insights. Content produced by Olivia is clearly labelled as "AI-powered by Gemini" within the App.
Individual transactions that were categorised by AI display an "AI" indicator, distinguishing them from manually categorised or rule-based results.
Olivia's outputs are generated by a large language model and may occasionally contain inaccuracies. You should verify important financial information against your official bank statements.
You have the right to request human review of any automated output by contacting us at privacy@cozzy.io.

10.6 Profiling

Cozzy analyses your financial data to identify spending patterns, trends, and categories. This constitutes profiling within the meaning of GDPR Article 4(4).

What we analyse: Transaction history to identify merchant frequency, spending by category, recurring payments, budget adherence, savings rate trends, and unusual spending patterns. These analyses power features such as spending breakdowns, budget tracking charts, savings goal progress, and Olivia's personalised insights.

Consequences for you: The profiling results are displayed to you as informational insights only. They do not restrict your access to any feature, affect your subscription tier, influence credit decisions, or produce any legal or similarly significant effects. You can disable AI-powered profiling at any time via Settings > Preferences > AI Features.

10.7 Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) covering our AI processing and Open Banking data aggregation operations, in accordance with GDPR Article 35. A summary of this assessment is available on request by emailing privacy@cozzy.io.

---

11. Cookie Policy

For full details on how Cozzy uses cookies and similar technologies, please see our standalone Cookie Policy.

In summary, we use: (a) essential cookies and crash reporting (Firebase Crashlytics) that are strictly necessary for the App to function and maintain service reliability (always active, no consent required); and (b) analytics cookies (Firebase Analytics) that require your explicit consent before activation. You can manage your cookie preferences at any time in Settings > Privacy > Cookie Preferences. Following Irish DPC guidance, we ask you to review your preferences every 6 months.

---

12. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including: encryption at rest and in transit (TLS 1.2+), row-level security on all database tables, automated PII scrubbing before external AI processing, rate limiting on all API endpoints, mobile app integrity verification (tamper and jailbreak detection), and access controls based on the principle of least privilege. Bank consent tokens are encrypted with AES-256-GCM at rest.

---

13. Version History

v9 (April 2026): Registered legal entity details (Cozzy Finance Limited); Yapily controller/processor role clarified; expanded profiling disclosure; Crashlytics essential justification; processor legal basis mapping; labelled Data Protection Contact; UK contact point restored.
v8 (April 2026): Named Yapily as Open Banking provider; added Railway, Resend as processors; Vertex AI retention disclosure; DPIA reference; profiling disclosure; security measures section; comprehensive review addressing 25 audit findings.
v7 (March 2026): AI transparency update — Google Vertex AI and Sentry disclosed as processors, EU AI Act Article 50 compliance.
v6 (February 2026): Expanded GDPR rights, UK ICO supervisory authority, data breach notification, ePrivacy cookie basis correction.
v5 (February 2026): Age requirement updated to 16+ per Irish DPA 2018 Section 31, removed advertising.

---

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@cozzy.io
Support: support@cozzy.io
Address: Venture Hub, 136 Capel Street, Dublin 1, Dublin, D01 T2C9, Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission:

Website: dataprotection.ie
Email: info@dataprotection.ie

If you are based in the United Kingdom, you may also contact the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113